Add extendedKeyUsage checking in SSL modules
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8575181..3f0cd6d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -38,6 +38,11 @@
#include "polarssl/debug.h"
#include "polarssl/ssl.h"
+#if defined(POLARSSL_X509_CRT_PARSE_C) && \
+ defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+#include "polarssl/oid.h"
+#endif
+
#if defined(POLARSSL_PLATFORM_C)
#include "polarssl/platform.h"
#else
@@ -4770,15 +4775,19 @@
const ssl_ciphersuite_t *ciphersuite,
int cert_endpoint )
{
-#if !defined(POLARSSL_X509_CHECK_KEY_USAGE)
- ((void) cert);
- ((void) ciphersuite);
- ((void) cert_endpoint);
-#endif
-
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
int usage = 0;
#endif
+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+ const char *ext_oid;
+ size_t ext_len;
+#endif
+
+#if !defined(POLARSSL_X509_CHECK_KEY_USAGE) && \
+ !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+ ((void) cert);
+ ((void) cert_endpoint);
+#endif
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
if( cert_endpoint == SSL_IS_SERVER )
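Review bot: The unused-parameter suppression now uses two different idioms in the same function: `cert` and `cert_endpoint` are voided in the combined `!defined(...) && !defined(...)` block added here, while `ciphersuite` is voided in an `#else` branch of the key-usage block in the next hunk. Both compile cleanly for all four configuration combinations as far as the visible code shows, but a reader has to check two places to confirm no parameter is left unused; putting `((void) ciphersuite);` in this same block, guarded by `#if !defined(POLARSSL_X509_CHECK_KEY_USAGE)`, would keep the suppressions together. The `ext_oid`/`ext_len` declarations are left uninitialized, which is fine only because both branches of the later `if`/`else` assign them; a one-line comment such as `/* set by the endpoint switch below */` would make that dependency explicit. The function's name and return-type line are outside this hunk.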
@@ -4818,8 +4827,26 @@
if( x509_crt_check_key_usage( cert, usage ) != 0 )
return( -1 );
+#else
+ ((void) ciphersuite);
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
+#if defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
+ if( cert_endpoint == SSL_IS_SERVER )
+ {
+ ext_oid = OID_SERVER_AUTH;
+ ext_len = OID_SIZE( OID_SERVER_AUTH );
+ }
+ else
+ {
+ ext_oid = OID_CLIENT_AUTH;
+ ext_len = OID_SIZE( OID_CLIENT_AUTH );
+ }
+
+ if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
+ return( -1 );
+#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
+
return( 0 );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
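Review bot: The new extendedKeyUsage block is undocumented, and the security-relevant part is which certificate is being constrained: the `cert_endpoint == SSL_IS_SERVER` branch requires serverAuth on the certificate presented by a server, so a certificate issued only for clientAuth cannot be used to impersonate a server, and vice versa. A comment above the `if` such as `/* The peer's certificate must be usable for the role it claims: serverAuth for a server certificate, clientAuth for a client certificate */` would state that intent. How a certificate with no EKU extension, or one carrying anyExtendedKeyUsage, is treated is decided inside `x509_crt_check_extended_key_usage`, which is not in this diff; presumably an absent extension is accepted (RFC 5280 treats absence as no restriction), which should be confirmed and noted here since it determines whether this check can reject existing deployments. Both the keyUsage and extendedKeyUsage failures collapse into the same `return( -1 )`, so the caller cannot report them under distinct verify flags; if the caller maps -1 to a single flag, that is worth a TODO. The enclosing function starts before this hunk.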